3 Million Hacked Hotel Keycards – What Could Go Wrong?

The current trajectory of technological advancement points towards a world where everyday objects are increasingly digitized and connected to the cloud, under the guise of immense convenience. From adjusting your fridge temperature with a simple tap to setting your television to your favorite show before you arrive home with your phone, this future is alluring.

However, amidst these conveniences lies a flip side – security concerns. There’s something inherently problematic about this tech-savvy future, especially when it comes to security. Engineers, developers, and designers often fail to prioritize security from the outset, and accountability is lacking. The recent headline-making compromise of Saflok’s hotel lock system, which potentially exposed three million hotel room locks, clearly highlights this issue.

Vulnerabilities in Hotel Lock Systems

Following the audacious MGM hack last year by the infamous “Star Fraud” gang, which caused a staggering $30 million in potential loss, the hospitality industry finds itself again grappling with security concerns. The recent breach of Saflok’s hotel lock system left as many as 3 million hotel locks susceptible to unauthorized access within seconds, impacting numerous hospitality chains that rely on this system. This sophisticated yet relatively simple hack involved exploiting RFID and encryption mechanisms using a spare keycard.

Fortunately, it was ethical security researchers who unearthed this vulnerability. In doing so, they illuminated weaknesses in both Dormakaba’s encryption and the underlying RFID system it employs, known as MIFARE Classic. By exploiting these weaknesses, the researchers demonstrated the alarming ease and speed with which Saflok keycard locks can be bypassed. Their method entails acquiring any keycard from a target hotel—whether by booking a room or obtaining a used keycard—then extracting a specific code from that card using a $300 RFID read-write device. They then craft two new keycards of their own: the first, when tapped on a lock, alters a specific piece of the lock’s data, which enables the second card to open it.

The full extent of vulnerabilities in unnecessarily web-connected devices remains uncertain. Furthermore, widespread awareness of how easily these lock systems, among others, can be compromised raises significant concerns. While we remain hopeful that life and property will stay secure until these lock vulnerabilities are addressed, the reality is that resolving interconnected device issues will demand heightened awareness, time, and extensive manual intervention. It’s imperative that swift action is taken to fortify the security of these systems to protect the safety and privacy of guests. The incident also serves as a warning about other, similar vulnerabilities that exist.

Pitfalls of Over-Digitalization and Neglecting Security

The hotel keycard situation highlights significant concerns related to the rampant over-digitalization present in today’s world, coupled with an excessive reliance on convenience. The escalating dependence on digital security measures, exemplified by keyless entry systems for cars and smart locks for homes, presents a formidable security threat. We find ourselves in a troubling pattern of prioritizing convenience at the expense of security. This trend is exacerbated by the lack of tangible consequences for product designers failing to incorporate security, and the tendency towards abundance often present in many first-world countries.

In the era dominated by physical keys, a perceived sense of security prevailed. Typically only one available copy of a key existed, and duplication required physical access. However, the evolution toward digital keys introduces new vulnerabilities. The prevalence of vehicle thefts, facilitated by the remote copying of entry systems without any physical interaction, underscores this vulnerability. Likewise, the proliferation of vehicle apps enabling remote tracking and control poses significant security risks. The crucial question arises: do the conveniences offered by digital systems outweigh the associated risks? It’s a pressing dilemma demanding our attention, as we continually navigate the trade-off between convenience and security.

A Key With Significant Impact

The Saflok hotel lock exposure and its lessons should not be downplayed; its ramifications are vast, affecting individuals, businesses, and the broader tech industry:

  • Hotels rely on guest trust to maintain their reputation and business
  • Guests expect safety, which is why locks are installed in the first place
  • Hotels may face lawsuits from affected guests or be compelled to implement costly security upgrades

The exposure also has significant implications for manufacturers of digital lock systems, challenging the reliability and security of their products and potentially leading to a loss of customer trust, reduced sales, and the need for substantial security enhancements.

Reevaluating Security in Digital Technologies

For the security community, this incident should serve as a clarion call, ringing loud and clear to highlight the inherent vulnerabilities in digital systems. Such occurrences instill a healthy dose of skepticism regarding the security of digital systems, spanning from smart home devices to critical infrastructure. It’s a stark reminder that even seemingly minor conveniences can open the door to significant security vulnerabilities and to the attackers who exploit them.

As we march forward, the primary aim of new technologies must be to ensure that convenience never comes at the expense of security and privacy. It’s imperative we embark on a thorough reevaluation of how security is integrated into digital technologies, even if it entails refraining from digitization altogether. The time has come to halt unsafe technological practices and forge a future where innovation and security are synonymous. Only then can we truly harness the potential of digital advancements while safeguarding the integrity of our systems and the privacy of our data.

Looking for support in securing your systems and data? Send us a request to get started.
This article was originally published in Forbes.

Awaken From Cyber Slumber: 3 Steps To Stronger Cybersecurity

Everywhere you look, you can see the profound impact of technology on our daily lives. Digital transformations have reshaped industries, empowered businesses, and brought essential services closer to our fingertips. From health information to financial transactions, educational resources, and more, our reliance on technology is undeniable. Yet, amid this technological marvel, it’s alarmingly easy for individuals and organizations alike to find themselves in a state of complacency, or what one might call “cyber slumber.” This month, as we observe Cybersecurity Awareness Month, it’s the perfect time to wake up – from C-level executives and investors, to employees, suppliers, and customers. It’s time to acknowledge both the dangers and opportunities associated with a robust cybersecurity posture.

Step 1: Understand the Stakes

Every organization, regardless of size or industry, faces a monumental challenge: to safeguard its digital assets in an ever-evolving cyber threat landscape. Failing to manage cybersecurity risks can have devastating consequences, not just for the business but for individual careers. The ever-watchful adversary is omnipresent, poised to exploit the smallest vulnerability whether it be through stealing, damaging, or holding an organization hostage. In this fast-paced world of cybersecurity, complacency is a luxury no one can afford. Failing to act promptly can result in severe financial losses, reputational damage, and legal repercussions. Success, or even just survival, in today’s digital realm requires an unrelenting focus on strong cybersecurity.

Step 2: Break the Preset Mentality

Organizations often fall into a trap where they believe that past investments in security solutions have adequately addressed specific threats. However, this mentality can lead to blind spots, as these solutions might not be updated or adapted to the evolving threat landscape. In cybersecurity, nothing is set in stone, and an unwavering position of assurance can lead to an organization’s downfall. Threats evolve, the scope of risks changes, and countless transformations occur over time. Thus, a static approach to security has proven to be the “Achilles’ heel” of even the most prominent technology operations. The modern organization must discard this static mindset and embrace an agile, adaptive approach.

Step 3: Reset the Cybersecurity Landscape

Now, with the shackles of the past released, organizations have the opportunity to bolster their resilience against modern cyber threats. This can be seen as a “reset,” and is where foundational aspects of cybersecurity are reviewed and addressed one by one.

  • Employee Training: The human component remains the weakest link in many cybersecurity scenarios. Continuous awareness training empowers staff to recognize and respond to potential threats effectively.
  • Behavior Analysis: Implementing user behavior analytics helps identify unusual users, data, and application activities that may indicate a breach.
  • Incident Response Plan: A well-documented incident response plan is essential for responding swiftly and effectively to security breaches.
  • Multi-Level Proactive Security Approach: A comprehensive strategy encompasses multiple layers of proactive security measures and addresses various attack vectors.
  • Vendor Evaluation: It’s important to evaluate the cybersecurity practices of third-party vendors, as they can be potential entry points for attackers.
  • Cloud Security: Implement cloud-specific security measures such as identity and access management (IAM), intrusion detection, and continuous monitoring of cloud environments.
  • Continuous Assessment: Cybersecurity is an ongoing commitment that involves regular assessments to evaluate security measures, identify vulnerabilities, and adapt to emerging threats.

This recipe, along with the motivation provided by Cybersecurity Awareness Month, serves as a catalyst for resetting cybersecurity resources to address vulnerabilities and protect your organization. By continuously assessing and improving, educating employees, and remaining vigilant, you can significantly reduce both the risks and consequences associated with cyber threats. For businesses, awakening from a state of cyber sleep is not an option; it’s a strategic imperative.

This article was originally published in Forbes; please follow me on LinkedIn.

How Climate Change Impacts IT

Whether we like it or not, our planet is facing some detrimental damage. Ntirety CEO Emil Sayegh reminds us that IT is not immune to climate change in our latest blog. 

How Climate Change Impacts IT

While our heads (and data) might be in the cloud, ultimately our IT and technology infrastructure lives right here on a planet that is facing an existential crisis. Global climate change is happening, though its causes continue to be a societal debate. While we know that global climate has changed since before recorded human history, many pinpoint the source of our current pattern changes to man-made reasons, with a steady focus on greenhouse gases, carbon emissions, and energy consumption. In any case, the planet is experiencing greater weather swings and events than recent memory can extend — floods, severe heat, blizzards, hurricanes, intense rain, and droughts appear to occur more often.

These climate events do not only have an impact on lives. Significant events can affect the continuity and survival of industries and businesses, especially when they affect information technology systems. Climate change has a tangible and increasingly critical effect on IT — it is a business continuity issue, it is a cost issue, and it is also a core strategy issue. It is high time that we consider the impact of climate change on IT. 

Elon Agrees 

Tech legend Elon Musk halted purchases of Tesla vehicles with Bitcoin last year due to the “rapidly increasing use of fossil fuels for Bitcoin mining,” which experts estimate uses more energy than entire countries such as Sweden and Malaysia. Musk is not the only one to sound the alarm on the environmental impact of Bitcoin — Treasury Secretary Janet Yellen has also warned that it uses a “staggering” amount of power. Regardless of whether Bitcoin and other cryptocurrencies are polluters or not, the negative connotations around the impact of its enormous energy consumption on the environment have affected its valuation, and maybe even its future trajectory.

Threats are Significant and Real 

Historical weather events such as hurricanes Sandy and Katrina continue to echo years after their arrival. However, these unstoppable and formerly outlier events now occur every year with greater frequency, causing hundreds of billions in damages and massive outages. Their aftermath must always be dealt with. In February of 2021, Texas endured a weeklong flash winter storm completely out of the weather norm. Known as the Great Texas Snow Storm, “Snovid,” or the “Snowmageddon,” that event had an economic impact of a staggering $200 billion.

Disaster preparation and recovery are just a couple of reasons why organizations must focus on continual backups, replication to offsite locations, and the drive to create zero-downtime resilience through disaster recovery plans, power backups, and nimble cloud architectures. We do this because the threats are real and becoming more frequent. With enough planning, the right partners, tools and capabilities, you can get through these incidents with a minimal interruption to the business. 

Inside a Crisis 

Rather than dive into all the reasons why you should prepare for a crisis and how, it would be better to set the tone of what happens behind the scenes. When a crisis hits, it can appear to be a frantic scene. When a severe weather event hits and creates an IT disruption, efficient operations and a return to normal operations are more critical than ever for all impacted.

The early moments are the most critical, and a recovery typically includes:

  • Emergency Notifications
  • Assessment
  • Monitoring of Disaster Recovery Operations
  • Triage/Troubleshooting
  • Analysis
  • Reassessment
  • Status updates

In a pressure-filled scenario, the impact of any potential missteps is amplified, adding time to the recovery efforts. Your IT disaster recovery plan must be clear, it must be relevant, and your team must be ready to execute its well-rehearsed disaster recovery plan. This is where all the documentation, preparation, planning, and partnerships meet the road. 

Hackers Ready to Pounce 

Here’s the bad news. When a weather disaster strikes an organization or locality, it is public information. You can expect that opportunistic scammers are somewhere close behind, just like vultures. That’s where you will see the relief scams, phony fundraisers, and other schemes that follow weather events. You will also see social engineering and phishing attempts come through when there are known disruptions in the air.

Unexpected disruptions and recovery efforts can open security vulnerabilities. For example, when a backup or tertiary site comes online, there is an opening for attackers if the backup systems are exposed in any way—missing patches, permissions, vulnerabilities, default passwords, configuration, etc. Just as in all cybersecurity, it comes down to the weakest link in the chain. If one entry point behind the virtual security wall can be exploited during a weather-related recovery, that is all an outsider needs to find.

Tech as Climate Readiness 

The challenge of business continuity is a core business mission, but with an increase in climate change related events around us, this challenge is more critical than ever before. Preparations, planning, and the right partnerships matter. Capabilities matter. Depending on the business in question and the locality of its IT systems, the impact that climate bears upon business continuity will vary. Almost every organization should prepare to leverage principles including offsite strategies, resiliency, security considerations, geographic strategy, and cloud technology in order to step up to this modern-day challenge. 

Part process, part readiness, and part technology: organizations that embrace cloud infrastructure have greater capabilities to roll through crisis scenarios because they gain resiliency and speed, and because cloud security models are aligned with the fluid nature of the cloud. We cannot know in advance the timing and arrival of every calamitous weather event, but we can prepare with better process, enabled by better tools, to adapt through multiple situations.

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

Cloud, Data And PET Adoption

Furry, fluffy pets bring us comfort in our homes, and similarly, Privacy Enhancing Technologies (PETs) provide comfort by keeping your data safe. The following piece, Cloud, Data and PET Adoption, from Ntirety CEO Emil Sayegh, was originally published in Forbes.


Cloud, Data And PET Adoption

Let’s face it—the world we live in is not a very private place. Try as we might, we can never really be left alone. We are always under the watchful eye of big data and in a state of constant connection. Before you think too long about how your fluffy cat or watchful dog fits into a cloud privacy discussion, let’s break this down. Privacy Enhancing Technologies (PETs) are a suite of privacy technologies that protect data and minimize exposure of unintended personal data, placing variable control of that data in the hands of the user. Increased PET adoption could change all that in the data world. This is about new and comprehensive integrations of privacy and security technologies, largely based on cloud tools and APIs, that will evolve the nature of data itself.

Faster. Cheaper. Easier.  

There is no denying that technologies have evolved along these lines over time. In the big picture, computer, storage, and cloud infrastructures have similarly become more of a commodity than ever before. Metric barriers will continue to be broken through innovations that lead on those three characteristics. The direction for data, however, is more sophisticated than that because we continually find new use cases for data. The future of cloud technologies is interwoven with the application of data science as they head forward on a course together that is rife with the implications of privacy and security. We are only at the beginning.  

Cloud meets Privacy Enhancing Technologies (PETs) 

With roots that go back to early computing, you can find traces of PET technology and practices among everyday internet behaviors and tools. There are soft privacy technologies, which are software-based, such as tunnel encryption (SSL), access controls, and data anonymity systems. There are also hard privacy technologies, which include hardware VPNs, anonymous routing, and devices that leverage cryptography. Communication anonymizers that hide a real online identity (email address, IP address, etc.), Enhanced Privacy ID (EPID), homomorphic encryption, Non-Interactive Zero-Knowledge Proofs (NIZKs), Format-Preserving Encryption (FPE), differential privacy, and pseudonymization are other evolving forms of PETs.
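Two of the PETs named above, pseudonymization and differential privacy, are small enough to show end to end. The following is an added illustration in Python, not code from the article or from any product it mentions; the user records are constructed for the example, the pseudonym is an HMAC keyed with a secret held by the data owner, and the differentially private count uses the Laplace mechanism with privacy parameter epsilon (these design choices are the example's own).

```python
import hashlib
import hmac
import math
import random

# Constructed sample records, the kind of per-user data a cloud analytics
# pipeline might ingest. Every value here is made up for this example.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 34, "city": "Austin"},
    {"email": "bob@example.com", "age": 29, "city": "Austin"},
    {"email": "carol@example.com", "age": 41, "city": "Denver"},
    {"email": "alice@example.com", "age": 34, "city": "Austin"},  # repeat visit
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same input under the same key, so
    records can still be joined, but infeasible to reverse or to link across
    datasets that use different keys. A plain SHA-256 of an e-mail address
    would fall to a dictionary attack; the secret key is what makes this a
    privacy control rather than mere obfuscation."""
    mac = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier with a pseudonym; keep analytic fields."""
    return [
        {"uid": pseudonymize(r["email"], key), "age": r["age"], "city": r["city"]}
        for r in records
    ]


def laplace_noise(scale: float, rng) -> float:
    """Sample Laplace(0, scale) by inverse CDF. rng only needs a random()
    method returning a float in [0, 1), so a deterministic stub can be
    injected for testing."""
    u = rng.random() - 0.5
    magnitude = max(1.0 - 2.0 * abs(u), 1e-300)  # guard log(0)
    return -scale * math.copysign(1.0, u) * math.log(magnitude)


def dp_count(records, predicate, epsilon: float, rng=None) -> float:
    """Differentially private count via the Laplace mechanism.
    A counting query has sensitivity 1 (adding or removing one person changes
    the answer by at most 1), so Laplace noise with scale 1/epsilon gives
    epsilon-differential privacy for the released figure."""
    rng = rng or random.SystemRandom()
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    key = b"example-secret-key"  # constructed; in practice fetched from a KMS
    for rec in pseudonymize_records(SAMPLE_RECORDS, key):
        print(rec)
    print("Austin visits (noisy):",
          round(dp_count(SAMPLE_RECORDS, lambda r: r["city"] == "Austin", 1.0), 2))
```

The two controls address different risks: pseudonymization removes the direct identifier from the rows that are stored and shared, while differential privacy bounds what any aggregate answer reveals about a single person, which matters precisely when the data is shared with the outside parties the article describes.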

It is an accepted fact that smartphones and apps are continually sharing location, usage data, and untold valuable information about that phone’s owner. From stores to street corners, highways, neighborhoods, and everything in between, video cameras are everywhere we can reasonably go. I haven’t even gotten to the invisible satellites that continually race around us in the heavens above, often cluttering our view when we star gaze.

The point is that the proliferation of technology, especially cloud and data technologies, has ricocheted past what would have been more favorable in terms of privacy by design. Privacy regulations have tried and had some effect, but the industry still endures painful and devastating breaches of sensitive data. Privacy regulations have always lagged and will always lag behind technology and hackers. Building around this and scaling up securely is clearly a task that is too difficult for many enterprises to take on alone. PETs can bridge that gap and maintain privacy even as the underlying computer technology evolves and morphs.

Collaboration: Trusting Zero Trust 

As the proposition of PET grows, a new horizon is developing, coined collaborative computing. Its premise is simple. Collectively, PETs are advancing into technology stacks with the aim of creating a continuously verified plane of data privacy and advanced processing, and ultimately a complete shift in principles, from platform-based data silos towards an ecosystem of data collaboration. In essence, by ensuring security and privacy, sharing data becomes a more inviting prospect.

A New World of Data Enabled by Comprehensive Security 

It is clear that the drive for greater data acceleration and global availability balanced with the increasing focus on security and privacy are on track for a significant breakthrough that can unlock dynamic data markets and economies of scale. For example, marketplaces will feature the ability to federate queries and share tranches of non-specific data instantly. Whether that outside party is a partner, supplier, consumer or supply chain, regardless of country, information can be shared instantly across the world.  

The journey of cloud technologies, and of the data that comes with them, has long counted on the tenets of security, privacy and integrity. The continuing evolution and adoption of PET, followed by the emerging field of collaborative computing, are leading the way to a redefined global economy where opportunities are both unleashed and balanced by the characteristics of secure, private, and available data systems, with a comprehensive security approach as the linchpin.


Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

Supply Chain Firm Makes IT Transformation to AWS with Ntirety

SCM Makes IT Transformation to AWS Through Ntirety’s Continued Guidance and Support

Quickly becoming an industry leader, this supply chain and parts management company (AKA SCM) improved the parts supply chain for a consistent and accurate flow of parts so shops can get customers back on the road. This business sought to provide marketing, support, and safety certification training to collision repair shops and automotive parts suppliers.

As technology in the supply-chain industry advanced and supply chain issues became problematic, the SCM IT team concluded that they had to make a digital transformation to maintain their forefront position supporting retailers and customers. It was time to leave their traditional VMware instance behind and move to AWS to enhance their overall application functionality and scalability. 

Through multiple assessments and collaborations, the SCM team successfully made the transition to AWS with Ntirety’s guidance – but the transformation didn’t end there. Along with managing and maintaining their IT environment through multiple AWS services, they saw continuous improvement through Ntirety’s Guidance Level Agreement (GLA). A step beyond the traditional Service Level Agreement (SLA), the industry-first GLA committed Ntirety to provide actionable recommendations based on their experience and the parts management company’s specific IT stack.  

Read more on how the Ntirety solution increased IT efficiency for this SCM here. 

IoT Devices May Not Be the ‘Smart’ Choice

’Tis the season to start hunting for the latest and greatest gifts, and smart technology is making just about anything, from homewares to exercise equipment, a hot-ticket tech toy. Are these smart devices on your shopping list this holiday? Buyer beware – there are often no consumer warnings about the cybersecurity risks these new IoT toys can bring.

Ntirety CEO Emil Sayegh has done deep dives into the potential hazards of smart mirrors in his article Mirror, Mirror On The Wall and the very real consequences of IoT cyber-attacks in Peloton Breach Reveals a Coming IoT Data Winter both published in Forbes.  

Mirror, Mirror On The Wall and Peloton Breach Reveals a Coming IoT Data Winter 

Recently, attacks against Internet of Things (IoT) systems have emerged. With the technology in billions of everyday items, the scope of these attacks is worrisome. Because the migration to Internet-everything is unstoppable, we’ll be seeing these security incidents for a long time unless we adjust course quickly. 

The financial motive to add Web features to every device known to mankind is clear. It seems everyone wants to be on the Web, uploading data from their bicycles, sprinkler systems, refrigerator energy consumption, and just about everything you can possibly think of.  

Consumers accept risks, sometimes unknowingly, because many assume that the worst-case scenario will not happen to them or affect them significantly. 

The Peloton Breach 

That leads us to the breach of Peloton, the at-home connected fitness equipment company. A security researcher discovered an open unauthenticated API in Peloton bikes and treadmills, which revealed an open channel to information about users such as age, weight, gender, workout statistics, and birthdays. A significant amount of scrutiny has fallen on Peloton, which made a mess of remediation communications and deadlines. It appears that this is just the beginning of issues to come, as more items from the physical world come online, handling sensitive information that few people think about protecting until it is too late. 
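The open, unauthenticated API pattern described above, placed beside a hardened version of the same profile lookup. This is an added illustration in Python and is not Peloton’s code or the researcher’s findings; the user records, session tokens, field names and response codes are constructed for the example, and the handlers take a plain request dictionary so the logic runs without any web framework.

```python
import hmac

# Constructed user store. Every record and value is made up for this example;
# the field list mirrors the categories of data the article says were exposed.
USERS = {
    101: {"username": "rider_a", "age": 34, "weight_kg": 70, "gender": "F",
          "birthday": "1990-05-01", "profile_public": False},
    102: {"username": "rider_b", "age": 29, "weight_kg": 82, "gender": "M",
          "birthday": "1995-09-12", "profile_public": True},
    103: {"username": "rider_c", "age": 52, "weight_kg": 91, "gender": "M",
          "birthday": "1972-01-30", "profile_public": False},
}
# Constructed session store: bearer token -> user id.
SESSIONS = {"tok-101": 101}

# Fields the owner may choose to publish to other users; everything else is
# treated as sensitive and only ever returned to the owner.
PUBLIC_FIELDS = ("username",)


def _parse_user_id(request):
    """Return the requested id as an int, or None if the parameter is malformed."""
    try:
        return int(request.get("params", {}).get("user_id", ""))
    except ValueError:
        return None


def get_profile_vulnerable(request):
    """The pattern the article describes: no authentication at all, and the
    complete record for any user id is returned to whoever asks for it."""
    user_id = _parse_user_id(request)
    if user_id is None:
        return 400, {"error": "bad user_id"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, dict(user)


def _authenticate(request):
    """Map a bearer token to a user id, or None if absent or unknown."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].encode()
    for known, uid in SESSIONS.items():
        # Constant-time comparison so token lookup does not leak via timing.
        if hmac.compare_digest(known.encode(), token):
            return uid
    return None


def get_profile_hardened(request):
    """Authenticate first, then apply object-level authorization: the owner
    sees the full record, anyone else sees only the fields the owner published,
    and private profiles are indistinguishable from non-existent ones."""
    caller = _authenticate(request)
    if caller is None:
        return 401, {"error": "authentication required"}
    user_id = _parse_user_id(request)
    if user_id is None:
        return 400, {"error": "bad user_id"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    if caller == user_id:
        return 200, {k: v for k, v in user.items() if k != "profile_public"}
    if not user["profile_public"]:
        return 404, {"error": "not found"}  # do not confirm which ids exist
    return 200, {k: user[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    anonymous = {"params": {"user_id": "101"}}
    print("vulnerable:", get_profile_vulnerable(anonymous))
    print("hardened  :", get_profile_hardened(anonymous))
    owner = {"headers": {"Authorization": "Bearer tok-101"}, "params": {"user_id": "101"}}
    print("owner     :", get_profile_hardened(owner))
```

The hardened handler fixes two separate defects that often travel together: the missing authentication check (anyone could call the endpoint) and the missing authorization check (an authenticated caller could still read other users’ records by changing the id). Returning the same 404 for private and non-existent profiles also prevents enumeration of valid user ids.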

In the wake of consumerized products from all walks of life, IoT systems and online accounts are under significant threat. It does not matter what the product is. An increasing number of smart camera platforms are being targeted by thieves. Privacy and security are at risk, along with exposure to fraud, and criminal gangs are exploiting the spoils of data to their merciless benefit.

The Smart Mirror 

A recent story getting a lot of attention involves an interconnected “smart mirror.” With a price tag of $1,495, this mirror provides tips, suggestions, can set and keep progress on fitness goals, as well as delivering streaming workout classes. The company was picked up by the sportswear giant Lululemon for $500 million last year. Under the home exercise boom precipitated by the global pandemic, the product could be finding a mainstream groove. Reviews for the new product are trending well on the positive side and Lululemon appears to have a rare winning omnichannel marketing vehicle to pin onto their main product lines. 

Clothing and marketing retailers, like Lululemon, wield a fine history of supply chain, retail, and e-commerce experience, but a device with this kind of technology introduces challenging privacy and security concerns for the consumer and the company. 

Can IoT Be Slowed? Should It? 

Once upon a time, distributed alternating current electricity was the next new thing. Electricity, lighting, and motors were added to every item available at the time. Therefore, people no longer had to crank record players, grind coffee beans by hand, or shine shoes with a pile of rags. What it meant to consumers was that convenience and functionality were clear winners. With IoT, we’re seeing a parallel application of the Web to real-world things, but with additional variables of security and privacy concerns. Consumers seem to be unable to resist these features, and the ecosystem continues its stratospheric growth. 

What many consumers don’t seem to realize is that consumer products companies are in the business of selling the products they make. They are not in the business of securing our information. If history is any indication, they have failed at protecting personal information as their products connect to billions of endpoints in your kitchen, your garage, your bedroom, and every place you live your life. 

Considering factors such as the growth of the market, continual cybersecurity threats, and financial motivations driven by successful compromises, we can expect to see more information losses, even in places thought to be safe. Worse, threats once affected only digital things, but IoT drops the cyber realm directly in the middle of our physical world. Attacks against data can be attacks against critical systems, human beings, resources, and the world around us. 

Even the smallest bits of leaked data can be enough to compose purpose-built phishing attacks or be stacked into significant waves of fraud. Unfortunately, it will take an unknown event of significant scale or personal financial impact for users to collectively wise up and demand more security from the market. 

The Need for Strict Security and Privacy Standards

Proper use of privacy settings, privacy protocols, and comprehensive security tools are an absolute necessity. Companies must be held accountable when there are significant variances, misuse of data or violations of trust. Privacy regulations in Europe, California, and Texas have done their share to elevate the element of privacy to the forefront of discussion, but it may not be enough. Certain compliance measures also demand the ability for individuals to select their privacy settings of choice. 

Protection is Comprehensive 

Companies and individuals should embrace a security-first strategy that prevents unauthorized access by enabling a comprehensive security and compliance approach to technology implementations. Outlined by outside and organization-driven compliance, an organization can achieve compliant comprehensive security with the tooling of: 

  • Strong authentication
  • Strong privacy rules
  • Third-party monitoring and validation
  • End-to-end encryption from the user device down to the database, application, and systems
  • Role-based access to data and systems
  • Data classifications

This is a list that goes on and on, tracking highly to the mission, capabilities, and parameters of each organization that ventures into comprehensive security.

Proactively Protect 

Don’t let these risks make you cross the latest smart devices off your wish list—work with experts to learn how to always be proactive when it comes to protecting your data. Practicing good cybersecurity hygiene isn’t just a priority for the holidays – schedule a Security Assessment any time of the year to strengthen your security posture (but don’t wait until it’s too late!)